Securing all fronts

Summary: Securing what is sacred to a business takes more than just a new program -- it can be a full-time job, which at times is better left to the experts.

The start of the 21st century has redefined the word "security". Countries go to war for it, constituents vote as a result of it, and companies are learning to stay safe and protect valuable assets in these highly technological times. With anxiety increasing in all walks of life, security has become a hot topic, and how it is managed can mean more than just bucks for a business -- reputation, trust, and in-house stability can all rest upon it.

But managing security can be a big headache, and it can be easy to get wrong, especially when basic perimeter security is not enough. Attacks from inside the business are growing and the complexity of the business environment is changing with globalisation. The ability to work remotely, and new technology being designed to link aspects of operation, raise new issues for what was once deemed a simple procedure.

An unprotected firewall can open up thousands of doors for hackers wanting access to your business operations, and spam is constantly being slammed for the thousands of employee hours it can cost each year. Add to this the growing issue of lost business due to down-time, and the ethical issue of keeping your clients safe, and it becomes easy to see why security is no light topic.

Frost & Sullivan analyst James Turner says one of the main reasons the nature of security has had to change is that hackers are becoming much more money-hungry, and extortion and identity theft are becoming a lot more common.

"As capitalism consumes the world, the hackers are coming around to the market's way of thinking and they are looking for their own piece of the action," Turner says.

"As a result, we are going to see an increase of law enforcement on the Internet. Companies are not only going to have to be secure for their own sake, but secure so they can adhere to the new ways of doing business."

So in an effort to erase anxiety, the high cost of security training for IT staff, and company liability, more and more companies are looking to managed security service providers (MSSPs) to manage all or part of their security processes for them. Analyst firm The Yankee Group estimates that by 2010, 90 percent of security operations would be outsourced -- in the US at least.

Services can range from patch management for a particular product, to management of your network's entire security architecture. The companies that we spoke to for this article offered services in the following areas: network intrusion detection and prevention, host intrusion prevention, vulnerability assessments, patch management, firewall and VPN management, and e-mail monitoring for protection from viruses and spam.

Lorenzo Modesto, general manager of MSSP Bulletproof Networks, says a complete outsourced security solution will start with the infrastructure. "You will generally hand this out depending on the skills set and infrastructure you will, or won't, already have in-house," he says. "Managed network security is about prevention -- locking things down so that the managed security provider is not having to chase holes in your system all the time. This is why you start with what is physically there, then determine what requires outsourcing."

The service itself, he says, is all about managing this infrastructure: putting out alerts at times when weaknesses can be found, monitoring how well the infrastructure is working, tuning false positives, and preparing an incident response when a security breach is made.